
Data Breach Numbers, Costs and Impacts All Rise in 2021

By almost any measure, the breadth, depth and impact of data breaches have dramatically increased during the COVID-19 pandemic. Here’s a roundup of the numbers.

Last week, we examined new legislation that would mandate reporting of critical infrastructure data breaches.

But that blog raised many follow-up questions and comments from readers, like:
  • Are ransomware attacks considered data breaches?
  • Show me the numbers — where are the documented increases, and what did they truly cost?
  • How is the U.S. different from the rest of the world when it comes to data breaches and related costs to organizations?

SHOW ME THE NUMBERS

Let’s start by addressing the last two questions.

According to a 2021 report from IBM and the Ponemon Institute, the average cost of a data breach among companies surveyed reached $4.24 million per incident in 2021, the highest in 17 years. Here are some other compelling data points:
  • Remote work impact: The rapid shift to remote operations during the pandemic appears to have led to more expensive data breaches. Breaches cost over $1 million more on average when remote work was identified as a factor in the incident than when it was not ($4.96 million vs. $3.89 million).
  • Health-care breach costs surged: Industries that faced huge operational changes during the pandemic (health care, retail, hospitality and consumer manufacturing/distribution) also experienced a substantial increase in data breach costs year over year. Health-care breaches cost the most by far, at $9.23 million per incident — a $2 million increase over the previous year.
  • Compromised credentials led to compromised data: Stolen user credentials were the most common root cause of breaches in the study. At the same time, customer personal data (such as name, email, password) was the most common type of information exposed in data breaches — with 44 percent of breaches including this type of data. The combination of these factors could cause a spiral effect, with breaches of username/passwords providing attackers with leverage for additional future data breaches.
  • Modern approaches reduced costs: AI, security analytics and encryption were the top three mitigating factors shown to reduce the cost of a breach, saving companies between $1.25 million and $1.49 million compared to those that did not make significant use of these tools. Among the cloud-based data breaches studied, organizations that had implemented a hybrid cloud approach had lower data breach costs ($3.61 million) than those with a primarily public cloud ($4.8 million) or primarily private cloud approach ($4.55 million).

Getting a bit more specific around data breach trends as well as other cyber attacks for the third quarter of 2021, the Identity Theft Resource Center just issued a press release with some additional startling numbers. Here are a few of the top highlights:

  • The number of data breaches publicly reported in the U.S. decreased 9 percent in Q3 2021 (446 breaches) compared to Q2 2021 (491 breaches). However, the number of data breaches through September 30, 2021 has exceeded the total number of events in full-year 2020 by 17 percent (1,291 breaches in 2021 compared to 1,108 breaches in 2020).
  • For Q3 2021, the number of data compromise victims (160 million) is higher than Q1 and Q2 2021 combined (121 million). The dramatic rise in victims is primarily due to a series of unsecured cloud databases, not data breaches.
  • The total number of cyber attack-related data compromises year-to-date (YTD) is up 27 percent compared to FY 2020. Phishing and ransomware continue to be, far and away, the primary attack vectors.

IS A RANSOMWARE ATTACK CONSIDERED A DATA BREACH?

That brings us to the first question above. The simple answer on whether ransomware equates to a data breach is … it depends. I like this problem description and answer from Kroll.com from earlier this year:

“Historically, one difference between a company victimized by ransomware and those hit with a hacking intrusion that resulted in stolen data was that in a ransomware attack, the data wasn’t actually stolen, but was encrypted so that the victim would have to pay a ransom to regain access. Unlike traditional data thefts, ransomware — the theory went — didn’t really steal data. It encrypted it so that the authorized users couldn’t get to it unless a ransom was paid. As a result, most organizations treated ransomware attacks as simply a business continuity or disaster recovery response although, a true corporate insult to injury, organizations were expected to pay for what they already owned. Now, nearly half of ransomware attacks steal data before encrypting systems, which means that ransomware is no longer just a business continuity or disaster recovery response; it is a full cybersecurity incident response because the attack may very well constitute a data breach if stolen records include protected data.”

So this raises further questions about the data breach numbers from multiple sources. Do these numbers include the records that may have been compromised in the growing number of ransomware attacks?

This YouTube video from “The Breach Report” explains more about Kaseya ransomware and describes some of the details regarding indicators of compromise, characteristics and attack vectors.

U.S. TO SUE CONTRACTORS THAT DON'T REPORT DATA BREACHES

One more related topic that I want to throw into the mix this week: AP News reported this past week that the U.S. is poised to sue contractors that don’t report cyber breaches:

“The Justice Department is poised to sue government contractors and other companies who receive U.S. government grants if they fail to report breaches of their computer systems or misrepresent their cybersecurity practices, the department’s No. 2 official said Wednesday.

“Deputy Attorney General Lisa Monaco said the department is prepared to take action under a statute called the False Claims Act that permits the government to file lawsuits over misused federal funds. The Justice Department will also protect whistleblowers who come forward to report those issues, she said.”

FINAL THOUGHTS

In addition to the game-changing nature of the Colonial Pipeline ransomware attack, which unmasked the severity of our online problems to the world, the surge in data breaches and related costs to enterprises is becoming unsustainable.

Put simply, something has to give in a world where cyber teams are maxed out and even losing staff to competitors. Security teams, especially in the public sector, have many vacancies and are often in a constant fire-fighting mode.

It remains to be seen what solutions can “stem the flow of rising water” that is overwhelming many cyber defense programs at the moment.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.